Vendors host your data, run your enterprise software, and handle other mission critical tasks. They’re not just part of your risk profile — they’re one of the riskiest parts. And unlike internal risk management, you usually can’t directly monitor vendors, service providers, or third parties.
An onboarding questionnaire isn’t enough anymore. Vendor management needs to be an ongoing strategy to ensure your partners continue to live up to their obligations. Here’s how to analyze, mitigate, and manage vendor risk.
What counts as a vendor?
Partner terminology can be a little tricky, so we’ll start with an easy one: service provider. A service provider is an entity that provides a B2B service, such as cleaning your offices or hosting your applications. Anything that ends with “as a service” comes from a service provider.
The meaning of “vendor” and “supplier” can vary depending on the business, industry, and context. In some cases, the distinction has to do with what the entity is providing. If they’re providing a finished product, they’re a vendor. If they’re providing raw material, they’re a supplier.
So for example, a restaurant fills its beer taps and soda fountains from a supplier, but stocks its cooler with bottled beverages from a vendor. Vendor is also sometimes used to mean “reseller.” For example, a company selling support packages or computing hardware.
In the context of vendor management, however, a vendor is anyone who provides products and services that your company depends on, whether they’re business-facing or customer-facing. It doesn’t matter whether they’re supplying your ERP, tech support, or finished products for your customers — they’re a vendor.
The reason is simple: any company that provides a product or service you rely on can potentially affect your risk profile. Therefore, it needs to be overseen by your vendor management program. Hence, they’re all vendors.
The term “third party” has a similar meaning, but it’s a little narrower than “vendor.” A third party is an outside entity acting in a direct relationship with your organization, on behalf of your organization. Third parties might ship services to your customers, host your data, build your apps, or provide marketing materials for your company. All third parties are vendors, but not all vendors are third parties.
However, third parties often have their own third parties — outside organizations or individuals working on behalf of those companies. From your organization’s perspective, those are called “fourth parties.” Theoretically, you could talk about fifth, sixth, and seventh parties, but it really makes the terminology too complicated. Anyone beyond a fourth party is just called an nth party. So if your CRM provider contracts with a development company and that development company has its own contractors, those contractors are “nth parties.”
Why is third-party vendor risk management important?
Vendors, suppliers, and third parties all have the potential to disrupt your business in different ways. In some cases, the risk is small, or the potential disruption isn’t very significant. For example, if the company providing you office supplies delivers the wrong ink or misses an order, or your HVAC maintenance company misconfigures your heating system, it probably won’t cause any lasting harm to your company. However, if the company hosting your ERP software suffers a breach or unplanned downtime, it could cause major problems like compliance violations, lost business, damage to your reputation, and legal liability.
And even suppliers that seem to be low risk can pose unexpected hazards. For example, a maintenance company with access to your facilities may seem like a low-risk partner. However, a bad actor working for that company could potentially cause a security breach — for example, by using onsite computer resources to access sensitive data.
Vendor risk management enables you to understand all the possible risks each service provider poses, and the likelihood of each risk. It empowers you to choose responsible vendors, supervise and audit your partners, and take other action to mitigate risk.
What is the risk management framework?
Vendor risk management isn’t plug and play. Rather, it’s a gradual process of planning, implementing, and improving your vendor controls. The GRC 20/20 vendor risk-management framework identifies five stages of vendor management:
- Ad hoc
- Fragmented
- Defined
- Integrated
- Agile
Ad hoc
Ad Hoc risk management is reactive. Organizations do assessments when they have to but don’t have any higher-level strategy or systematic vendor risk monitoring program.
At this stage, risk management roles aren’t clearly defined, and the organization lacks the resources and skills to monitor third parties and ensure compliance.
Typically, that means there’s no standard framework or set of procedures and policies for rating vendors or risk management. Ad hoc organizations typically only do vendor assessments or reviews if they become aware of a major issue, such as a vendor breach. And even those risk management processes are done in an inefficient, manual way — think spreadsheets and emails.
Without the technology or processes in place for systematic risk monitoring, there are many blind spots. The organization is unaware of many of the risks it faces, and may not understand how to improve its risk management approach.
Fragmented
At the fragmented stage, your risk management program has started to make progress. You have an agreed upon vendor risk framework, and some standardized methods to segment, evaluate, and onboard vendors. Certain departments have good practices in place, and you’re starting to implement high-priority risk management measures like information security.
At this point, organizations face three main problems:
- Lack of standardization
- Lack of integration
- Lack of technology
Lack of standardization
Fragmented risk management is handled department by department, rather than on an integrated, organization-wide level. This leads to redundancy and duplication of work, with each department doing its own vendor vetting, onboarding, and risk management monitoring.
There are also performance gaps between departments, with some departments benefitting from resources and skills other departments lack. That leads to unpredictable gaps in your vendor management process. And with limited legal and security resources, it’s unlikely that all your key stakeholders fully understand their compliance duties or the risks they’re supposed to mitigate.
Lack of integration
At this stage, it’s very difficult to effectively evaluate your risks, needs, and priorities on an organization-wide level, making it hard to allocate resources effectively. Departments are unlikely to learn from each other, slowing improvement. Focus on building vendor management capacities on an enterprise-wide level so you can manage vendors consistently and strategically.
Lack of technology
Fragmented organizations still use manual, document-centric review processes. This makes vendor management processes slow and prone to human error — particularly in a siloed organization where departments can’t share information effectively.
This lack of technology also contributes to the standardization and integration problems, making it harder to unify different departments into an effective whole.
Defined stage
At the defined stage, your departments are getting good at third-party vendor risk management. Powered by vendor management technology, they have defined processes and roles in at least some areas, and are developing oversight of key areas like infosec and compliance. Departments are starting to think beyond the next vendor or supplier, developing a strategic approach to rating vendors, monitoring, and risk management.
The organizational picture is getting better too. Reporting and information sharing are becoming standardized as your company begins to adopt the technology and procedures to work on an organization-wide level. You’ve got most of the basics — now it’s time to drill down and optimize.
There are three major tasks for defined stage vendor management:
- Organizational governance
- Organization-wide strategy
- Better technology usage
Executive buy-in
At this stage, executives need to be deeply engaged in risk management. Senior stakeholders must bring together the different threads of your vendor management process, ensuring consistent reporting, setting and maintaining standards, allocating resources, and maintaining accountability.
You may also need to build a more formal structure for risk management responsibilities throughout the organization. In early stages, it’s common for stakeholders to pick up responsibilities in an ad hoc fashion. It’s time to document and formalize these responsibilities and fill in any gaps to ensure your vendor management program is sustainable.
Better technology usage
Most of the processes that go into vendor risk management can be improved using purpose-built software. Throughout the defined stage, you’ll need to work on moving away from spreadsheets and emails, using the software to simplify onboarding, reviews, and other processes.
As your vendor management tools become a repository for documentation, your reporting and data sharing capabilities will improve. You’ll also begin to map your work, data, and process flow, providing you a more complete view of how your vendors fit into your organization, and what risks and responsibilities each role entails.
Integrated stage
Your business has adopted an organization-wide risk management process. For the most part you effectively share metrics, frameworks, processes, and documentation across departments.
Governance is managed at the board level, using robust reporting to set the agenda, from the overall strategy to the individual criteria for segmenting third parties. Your company has formally allocated and structured risk management responsibilities, enabling you to make the most of your governance, compliance, and security assets. Every step is documented and organized, making your risk management processes fully auditable.
Filling in the gaps
At the integrated phase, there are probably a few gaps remaining in your third-party risk management strategy. For example, there may be departments with inadequate risk management, as well as isolated processes and siloed information. Additionally, you’re still not able to treat vendor performance as a differentiator. You can monitor and mitigate vendor risk, but you can’t yet analyze performance trends or compare vendors in a fully systematic way.
Agile maturity
Your organization now has a mature, integrated third-party risk management program. Governance, compliance processes, and monitoring are standardized across your organization. All roles are owned, and risk-management stakeholders collaborate effectively throughout the company. Your organization can track third-party performance and beyond, accounting for the risk of 4th and even nth-party vendors, suppliers, and service-providers.
This enables you to manage risk strategically, using regular meetings to set goals, make improvements, and update your process to evolving compliance standards and industry best practices.
Taking the next step: The three best practices to reduce partner risk
If you’re at the ad hoc or fragmented stage (and most companies are), vendor risk management can seem overwhelming. Here are three steps you can take to improve your vendor management posture:
- Assess cybersecurity risk
- Build or adopt a third-party risk management framework
- Monitor and manage vendor risk continuously
Assess cybersecurity risk
In order to mitigate risk, you need to understand it. A cybersecurity risk assessment will identify risks you may not be aware of, enhance your understanding of how your IT infrastructure and data fit together, and enable you to prioritize the most important risks.
Inventorying your assets
The first step is to inventory your IT assets and nodes. This should include:
- Data repositories, such as your CRM data
- Systems used to access and interact with the data, such as your CRM or ERP suite
- Access nodes, such as company workstations or employee-owned smartphones
- Systems that transfer data, such as company VPNs
- Connections with third-parties, including stakeholders, SaaS providers, hardware vendors, app integrations, and outsourced tech support or help desks.
- People who may have access (or attempt to gain access) to IT assets, including employees, customers/users, visitors, vendors, competitors, hackers, and administrators
- Mechanisms currently used to control access, such as automated onboarding and offboarding, password policies, and cybersecurity administration
As you inventory your IT assets, map out how they fit together. For example, when you inventory your CRM, you may find that the customer data enters the system through three different routes:
- The customer makes a purchase through your website. Their data travels through a third-party storefront integrated into the site, passing through various app integrations to tag, sanitize, and analyze the data, and into your CRM.
- The customer makes a purchase through your app. Their data travels through in-house software into your CRM.
- The customer makes a purchase through a channel partner. Their data goes through channel partner’s stack, which tags and sanitizes it before sending it to your CRM.
You’ll also need to account for the different ways your own internal stakeholders access the CRM data. For example, marketing and sales teams in different locations may use different software suites or third-party integrations to access and analyze customer data.
Administrators probably also have some degree of access, so they can provide and revoke credentials, or respond to deletion or right to know requests. You may also have third-party marketers or help staff with their own access methods. You’ll need to document each path the data takes, and what third-party vendors and internal stakeholder roles have access.
Inventorying cybersecurity risks
Once you’ve mapped your assets, it’s time to look for risks. How could the data be breached, vandalized, stolen, or destroyed?
Make sure to address the human factors. For example, third-party sales associates can access CRM data from personal laptops. Here are just a few ways that a malicious actor could compromise your security:
- Snooping on data sent over unsecured public wifi
- Brute forcing an insecure password
- Using social engineering to figure out a user’s security questions
- Using stored passwords on a sales associate’s laptop
- Taking advantage of an unpatched security vulnerability
- Exploiting a security misconfiguration
- hacking a low-level account, then using privilege escalation
Prioritizing cybersecurity risks
Now, it’s time to prioritize remediation. The most important risks fall into three risk categories:
- High likelihood
- Severe consequences
- Low-hanging fruit
Human factors and vendors should rank high on this list. Human factors like error and misuse are some of the highest likelihood risks, playing a part in 82% of breaches according to Verizon’s 2022 Data breach investigation report. Vendors are also a major factor, with 62% of system intrusions involving partners being compromised.
Human factors also tend to fit into multiple risk categories. For example, brute forcing an insecure password is a high likelihood risk with severe consequences. It’s also an easy risk to remediate, making it low-hanging fruit. Let’s break it down:
High likelihood
Unless your company is very small, it’s almost inevitable that some of your users have lousy passwords — they may be reusing a password that has been compromised elsewhere, using a very common password like “qwerty123,” or making their passwords out of information that’s easy to find, such as a spouse’s birthday.
Severe consequences
If a hacker gains access to an account with customer data, they can compromise huge amounts of personal information, potentially exposing you to regulatory penalties, reputation damage, legal liability, and other serious consequences. And even if the account doesn’t have access to sensitive data, a skilled hacker will be able to escalate their privileges.
Low hanging fruit
You can improve password security with three simple (and inexpensive) steps:
- Educate employees on good password practices, providing regular refreshers and integrating password security into new employee onboarding.
- Set high minimum requirements for passwords, ensuring employees use long strings with capital letters, numbers, and other characters.
- Require frequent password changes with an automated process. For example, you can send employees a notice to update their passwords every quarter. Any user who doesn’t update their password in the allotted time will be locked out until they contact an administrator to update their password.
Build or adopt a third-party risk management framework
You don’t have to reinvent the wheel to manage third-party vendor risk. There are a number of risk management frameworks, such as the NIST RMF and ISO 27001, that can help you establish procedures to safely manage your vendors.
Most risk management frameworks share a number of best practices, such as:
- Inventorying all your vendors
- Identifying cybersecurity risks that vendors could contribute to
- Setting minimum standards for vendor security
- Building a system to objectively assess vendors
- Defining a leadership structure to manage cybersecurity risk, regulatory compliance, and independent auditing
- Creating processes for addressing data breaches, and mitigating emerging vendor risks
You may wish to combine multiple risk management frameworks to address industry-specific requirements like HIPAA; nation or region-specific requirements like the GDPR; or technical requirements like GMP.
Monitor and manage vendor risk continuously
Risk is always evolving. Vendors let their standards slip. Hackers learn new exploits. Legislators pass new laws, and regulators change their priorities, tactics, and interpretations. And your own internal risks change as well, as your tech stack, personnel, and management priorities evolve.
To stay on top of vendor risk, you need to continuously monitor vendors. Vendors should regularly undergo independent audits, and your risk management stakeholders should meet periodically to review third-party performance, and mitigate any concerning or unacceptable risks.
You should also periodically review your own vendor risk management strategy. As new risks and new best practices emerge, you may need to revise your contracts, rework your vendor evaluation framework, alter your audit strategy, adopt new onboarding and offboarding procedures, or make other changes.
How does third-party risk management fit into privacy compliance?
Consumer privacy laws, like the CPRA, make vendors part of your privacy obligations. For example, when you receive a CPRA deletion request, you’re required to delete personal information from your systems and have any third parties you’ve shared it with delete the data as well.
That means you need to keep track of what information you share with third parties, and what information other partners share with you, and have a mechanism to ensure it is disclosed, reported, or deleted to fulfill consumer requests. In other words, you need to verify your vendors are treating consumer data the way they’re obligated to.
Additionally, you’re liable for the privacy violations of your service providers. For example, if your SaaS provider breaches your customers’ personal data, you’re likely to face liability.
More broadly, third-party risk management and privacy compliance are linked because risks don’t respect boundaries. Your service providers, partners, customers, and third parties are linked to your company in complex ways. If any one of these links is compromised, it can cause serious consequences for your company. To protect your whole organization, you need to integrate third-party risk management, privacy compliance, cyber security, and other governance functions into a seamless whole.
How third-party risk management software can help
Third-party risk management software centralizes and automates all the tasks that go into managing vendor risks. TerraTrue streamlines vendor vetting and monitoring, so you can track vendor performance, and stay within your risk tolerance. Our customizable workflows enable you to easily segment vendors and ask the right questions for each role, and track responses and results.
TerraTrue also serves as a repository for vendor reviews, policies, and other records, enabling you to build an enterprise-level vendor compliance strategy. The software enables you to easily incorporate privacy and compliance priorities into your vendor management, and automatically flag potential compliance violations for your privacy team to review.
And crucially, TerraTrue goes beyond vendor vetting, providing a complete toolset for your privacy and compliance program. That means you can ensure compliance in your apps, policies, vendors, and data map with one system. That makes it much easier to move beyond fragmented or ad hoc compliance to a mature or agile program.
From vendor compliance to consumer privacy, contact us to put all the pieces together.